Solved

Apache Vulnerability CVE-2022-23181 - Is this affecting Commvault ?

  • 2 February 2022
  • 6 replies
  • 1199 views

Badge +1

In relation to Apache bug CVE-2022-23181 is this affecting any Commvault releases ?

“This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.”

icon

Best answer by Aplynx 2 February 2022, 18:47

View original

If you have a question or comment, please create a topic

6 replies

Userlevel 6
Badge +13

I don’t see anything on this at the moment. Might be quicker to open a support request to get an answer.

Userlevel 6
Badge +13

Commvault is not affected by this CVE because we have disabled session persistence on our web applications, as described here:

https://tomcat.apache.org/tomcat-9.0-doc/config/manager.html#Disable_Session_Persistence

 

E.g., if you check our apps’ context entries in ContentStore\Apache\conf\server.xml file, they will contain this setting:

 

<Manager pathname="" />

Badge +1

Thanks for the info provided @Aplynx  :ok_hand:

Badge +4

Hello,

Need your help to understand below requirement..

Does the below Apache Tomcat vulnerabilities fixed in 11.24.34? or these are related to OS vulns?

Do we have any document to check which Vulns are fixed in which version?

 

Reported Vuls:
Apache Tomcat: Important: Information Disclosure (CVE-2016-6816)
Apache Tomcat: Low: XSS in SSI printenv (CVE-2019-0221)
Apache Tomcat: Low: Unrestricted Access to Global Resources (CVE-2016-6797)
Apache Tomcat: Low: System Property Disclosure (CVE-2016-6794)
Apache Tomcat: Important: Remote Code Execution (CVE-2017-12617)
Apache Tomcat: Low: Security Manager Bypass (CVE-2016-6796)
Apache Tomcat: Low: Security Manager Bypass (CVE-2016-5018)
Apache Tomcat default installation/welcome page installed
Apache Tomcat: Low: Timing Attack (CVE-2016-0762)

Userlevel 7
Badge +23

@Theja , we generally have vulnerabilities list on our docs.

Here’s an example:

https://documentation.commvault.com/11.24/essential/146231_security_vulnerability_and_reporting.html

Are there any you are not seeing listed?

Userlevel 6
Badge +13

Do you have an example audit\security report that is flagging CommVault as being vulnerable to these additional Apace exploits?